Script to retrieve Passbolt passwords for Saltstack Pillars
Sven Seeberg f1750202be
Support local file for passbolt replacement
* During development access to the Passbolt server may
  not always be possible. Allow a local file as fallback.
2021-05-29 16:59:15 +02:00
example Support local file for passbolt replacement 2021-05-29 16:59:15 +02:00
src/salt_passbolt Support new Passbolt API 2021-03-14 13:02:11 +01:00
.gitignore Initial commit 2020-02-01 18:50:15 +01:00
LICENSE Initial commit 2020-02-01 18:50:15 +01:00
README.md Support local file for passbolt replacement 2021-05-29 16:59:15 +02:00
setup.py Fix Passbolt API URL 2020-02-01 22:26:26 +01:00

README.md

About

This Python module retrieves passwords for Passbolt groups to make them available in Saltstack Pillar.

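For development, a local file named [UUID].txt, where [UUID] is the Passbolt group UUID, can be placed in the pillar directory next to the sls file. It must contain one line per secret, in the format secret UUID, colon, secret: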

3ec2a739-8e51-4c67-89fb-4bbfe9147e17:MY_SECRET

License

MIT

Setup

  1. Clone this repo

  2. Go to directory, run (requires python3-setuptools)

    python3 setup.py install
    
  3. Create a Passbolt account for the Salt master.

  4. Copy the private and public PGP key files to /etc/salt.

  5. Import the private key with

    gpg --import /etc/salt/passbolt_private.asc
    
  6. Create a /etc/salt/passbolt.ini file with the following content:

    [PASSBOLT]
    SERVER = https://passbolt.example.com
    #SERVER_PUBLIC_KEY_FILE = <optional: server_public.asc>
    USER_FINGERPRINT = [REPLACE WITH GPG KEY FINGERPRINT]
    USER_PUBLIC_KEY_FILE = /etc/salt/passbolt_public.asc
    USER_PRIVATE_KEY_FILE = /etc/salt/passbolt_private.asc
    PASSPHRASE = [REPLACE WITH PASSBOLT USER PASSWORD]
    
  7. Change file permissions:

    chown salt /etc/salt/passbolt*
    chmod 600 /etc/salt/passbolt*
    
  8. Create Pillar sls files where required with the following content, replacing the group UUID with your own. See the example directory. Hint: you can find the group UUID with the network tool of the browser by clicking on a group.

    #!py
    def run():
        passbolt_group = "27b9abd4-af9b-4c9e-9af1-cf8cb963680c"
        from os import path
        # Development fallback: read secrets from <group UUID>.txt next to this sls file
        file_path = path.join(path.dirname(path.realpath(__file__)), passbolt_group + ".txt")
        if path.isfile(file_path):
            data = {"passbolt": {}}
            with open(file_path) as f:
                for line in f:
                    # Strip the line ending and split on the first colon only,
                    # so secrets may themselves contain ':'
                    uuid, sep, secret = line.rstrip("\r\n").partition(":")
                    if sep:
                        data["passbolt"][uuid] = secret
            return data
        else:
            from salt_passbolt import fetch_passbolt_passwords
            return fetch_passbolt_passwords(passbolt_group)
    
  9. In states, reference secrets by their UUID. See example/salt/important_secrets/files/secret.conf. Hint: you can find the secret UUID in the URL of your browser by clicking on the checkbox of a secret.

    password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}